AstraCipher

Cryptographic Identity & Trust Protocol for AI Agents

The "SSL certificates" for the AI agent economy. Open-source protocol that gives every AI agent a verifiable, cryptographic identity.

---

The Problem

AI agents are operating across enterprise systems with zero identity verification. No one can answer:

• Which agent performed this action?
• Was it authorized?
• Can we prove compliance to regulators?

MCP servers expose powerful tools, but any agent can call any tool. There's no authentication, no authorization, no audit trail.

The Solution

AstraCipher is a W3C-standards-based protocol that provides:

• Decentralized Identifiers (DIDs) --- Unique, cryptographic identity for every agent (did:astracipher:mainnet:abc123)
• Verifiable Credentials --- Signed attestations of capabilities, permissions, and trust levels
• Trust Chains --- Delegated authority with depth limits (Creator -> Authorizer -> Agent -> Sub-agent)
• Post-Quantum Cryptography --- ML-DSA-65 + ECDSA P-256 hybrid signatures (FIPS 204 compliant)
• Compliance Modules --- Generate regulatory-ready reports for 10+ frameworks worldwide

Why Now

• 850M+ AI agents expected by 2030 (Gartner)
• MCP adopted by Anthropic, OpenAI, Google, Microsoft --- but has no identity layer
• AAIF (Linux Foundation + Anthropic) defines agent interoperability --- AstraCipher provides the missing identity primitive
• EU AI Act enforcement begins 2025-2026, requiring traceability for high-risk AI systems
• NIST AI RMF and ISO 42001 becoming enterprise prerequisites

Quick Start

CLI

# Install the CLI
npm install -g @astracipher/cli

# Initialize AstraCipher in your project
astracipher init

# Generate post-quantum key pair
astracipher keygen --algo hybrid

# Create an agent identity (DID)
astracipher create --name "my-data-agent" --key .astracipher/keys/agent.pub.json

# Issue a credential
astracipher issue \
  --did did:astracipher:testnet:abc123 \
  --capabilities read,write \
  --trust-level 8 \
  --validity 365d

# Verify a credential
astracipher verify --credential ./credential.json

SDK (TypeScript)

import { AstraCipherClient } from '@astracipher/core';
import { HybridKeyManager } from '@astracipher/crypto';

const keyManager = new HybridKeyManager();
const keyPair = await keyManager.generateKeyPair('hybrid');

const client = new AstraCipherClient({ keyManager });
const did = await client.createDID('my-agent', keyPair);
const credential = await client.issueCredential(did, {
  capabilities: ['read', 'write'],
  trustLevel: 8,
});
const result = await client.verifyCredential(credential);

MCP Integration

Any MCP-compatible AI agent (Claude, GPT, etc.) can use AstraCipher tools:

{
  "mcpServers": {
    "astracipher": {
      "command": "npx",
      "args": ["@astracipher/mcp-server"]
    }
  }
}

Available MCP tools:

• create_agent_identity --- Create a DID for an agent
• verify_agent --- Verify an agent's credential
• check_permissions --- Check agent permissions for a resource
• inspect_credential --- View credential details

Architecture

+----------------------------------------------------------+
|                    AstraCipher Protocol                     |
+---------------+----------------+-------------------------+
|  @astracipher/  |  @astracipher/   |  @astracipher/            |
|    crypto     |     core       |   compliance-*          |
|  (PQC keys,   |  (DIDs, VCs,   |  (DPDP, EU AI Act,     |
|   signing)    |  trust chain)  |   GDPR, SEBI, ...)     |
+---------------+----------------+-------------------------+
|                   Integration Layer                       |
|  +--------------+  +-------------+  +------------------+ |
|  | MCP Server   |  | A2A Adapter |  |   REST API       | |
|  | (AI agents)  |  | (Google A2A)|  |   (server)       | |
|  +--------------+  +-------------+  +------------------+ |
+----------------------------------------------------------+

Packages

Core Protocol (BSL 1.1 --- Open Source)

Package	Description	Status
@astracipher/crypto	Post-quantum cryptographic primitives (ML-DSA-65, ML-KEM-768, ECDSA P-256, hybrid)	Core
@astracipher/core	DID management, credential issuance/verification, trust chains	Core
@astracipher/cli	Command-line interface for all AstraCipher operations	Core
@astracipher/compliance-core	Pluggable compliance engine for regulatory frameworks	Core
@astracipher/sdk-python	Python SDK for AstraCipher protocol	Core

Integrations (BSL 1.1)

Package	Description
@astracipher/mcp-server	MCP integration --- expose AstraCipher as AI agent tools
@astracipher/a2a-adapter	Google A2A protocol adapter for agent-to-agent auth

Platform & Premium Modules (Proprietary --- astracipher-platform)

Component	Description
@astracipher/server	Production verification server (PostgreSQL, org management, API keys)
@astracipher/dashboard	React dashboard for agent identity management
10 compliance modules	DPDP, SEBI, RBI, EU AI Act, GDPR, HIPAA, NIST, SOC 2, ISO 42001, UK AI Safety

Cryptography

AstraCipher uses hybrid post-quantum + classical cryptography by default:

Algorithm	Standard	Purpose
ML-DSA-65	FIPS 204	Post-quantum digital signatures
ECDSA P-256	FIPS 186-5	Classical digital signatures
ML-KEM-768	FIPS 203	Post-quantum key encapsulation
Hybrid Mode	---	Both PQC + classical must validate

Built on audited libraries: @noble/post-quantum and @noble/curves.

Why hybrid? Classical ECDSA provides battle-tested security today. ML-DSA protects against quantum attacks. Both must validate --- so you get defense-in-depth against both classical and quantum adversaries.

Competitive Positioning

	AstraCipher	Keycard (a16z)	Aembit	Microsoft Entra Agent ID
Open source	BSL 1.1	Closed	Closed	Closed
Post-quantum crypto	ML-DSA + ECDSA hybrid	No	No	No
W3C DID standard	Yes	No	No	Partial
MCP native	Yes	Yes	No	No
Compliance modules	10+ frameworks	No	No	No
Self-hosted option	Yes	No	No	No
Vendor lock-in	None	Platform	Platform	Azure

Development

# Clone the repo
git clone https://github.com/AstraFintechLabs/astracipher.git
cd astracipher

# Install dependencies
npm install

# Build all packages
npx turbo build

# Run tests
npx turbo test

# Run the CLI locally
npx ts-node packages/cli/src/index.ts --help

Project Structure

astracipher/                         # Public repo (BSL 1.1)
+-- packages/
|   +-- crypto/                    # PQC crypto primitives (ML-DSA, ML-KEM, ECDSA)
|   +-- core/                      # Protocol implementation (DIDs, VCs, trust chains)
|   +-- cli/                       # CLI tool
|   +-- sdk-python/                # Python SDK
|   +-- compliance-core/           # Compliance engine framework
+-- integrations/
|   +-- mcp-server/                # MCP integration
|   +-- a2a-adapter/               # Google A2A adapter
+-- e2e-test.mjs                   # E2E test suite (67 tests)
+-- .github/workflows/             # CI/CD pipeline

The production server, dashboard, and premium compliance modules (DPDP, SEBI, RBI, EU AI Act, GDPR, HIPAA, NIST, SOC 2, ISO 42001, UK AI Safety) are in the private astracipher-platform repository.

License

Business Source License 1.1 (BSL 1.1)

• Use: Free to use, modify, and self-host for any purpose
• Restriction: Cannot create a competing hosted agent identity/compliance service
• Change Date: February 18, 2030 (converts to Apache License 2.0)
• Full text: LICENSE

This means: startups, enterprises, and developers can freely use AstraCipher in their products. The only restriction is you can't take this code and launch a competing AstraCipher-as-a-Service offering.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines.

Built by

Astra Fintech Labs --- Building trust infrastructure for the AI agent economy.

---

AstraCipher: Because in a world of autonomous AI agents, identity isn't optional.